Sunday - October 28, 2007 12:13 PM

I admit it, I was one of those people who bought
Mac OS X 10.5 Leopard on the first day. Here are my first
impressions.

CRITICAL BUG
ALERT!First, if you're upgrading to
Leopard, there is a critical bug in the system which shipped on the DVD. Under
some conditions, this bug can cause the Keychain manager to wipe out the user
password, making it impossible to log in. If the user account is also the admin
account (as is the case on most single user machines), this will also make it
impossible to install system updates, manage other accounts,
etc.

After upgrading to Leopard, run
Software Update immediately, before running any other programs,
especially Mail and Safari (both of which make heavy use of the keychain).
Apple has published a fix, and running Software Update right away will prevent
the bug from affecting you. You should "Cancel" any requests to access the
Keychain before installing the
update.

If you do get bit by the bug
and find yourself unable to login, it is possible to reset your password with
about five minutes effort. Here are the official instructions for recovering a lost password after a
Leopard upgrade. It is not difficult, but it requires booting into
UNIX single user mode, and entering some obtuse command lines. Just follow the
instructions precisely as written and you'll be
fine.

Apparently this bug affects
accounts which were originally created on 10.2.8 or earlier, even if that
account was originally created on a different machine. So if you've been
migrating your accounts through a couple generations of Macs, there's a good
chance you're vulnerable. She Who Puts Up With Me is a software QA
professional, and she said she can see how this bug slipped through: there's a
limit to how many generations of hardware and software you can test through, and
this is one of those crazy edge cases which is rare in the development
environment, but not that unusual in the
field.

Other
ImpressionsOverall, this is probably the
"dirtiest" OS X release I can recall, and I've been on OS X since 10.1. In
addition to losing my login password, several of my system and Mail preferences
were reset (minor inconvenience), permissions for personal web sharing got
screwed up (still not fixed yet), and I had to reset my local WiFi network
settings (also a minor inconvenience). In other words, don't plan on this being
as simple of an upgrade as earlier version. You will have to do some
tweaking.

That said, I also think this
is one of the most worthwhile OS X releases I can recall. It's worth the
nuisance (and in my case, pain) of the upgrade for a single new feature: Time
Machine.

I've been struggling with
backups on my computers for years, trying to find a system which would be (a)
painless, (b) comprehensive, and (c) completely transparent. Time Machine
delivers on all three. Just turn it on, and that's it. Forever more, the
system will keep incremental backups every hour, and give you a slick tool to
recover lost files (or the entire system, if it comes to
that).

My one complaint about Time
Machine is that the user interface is really cheezy. On the other hand, as John
Gruber argues, that might be a good thing, since the
cheez-whiz UI will get people to actually turn it on, and once on, it
will run silently in the background forever, defending the user against hardware
failure and accidental deletion.

As an
aside, since Time Machine backs up everything, this is likely to hand a
new forensic tool to those investigating computer crimes and kiddie porn cases,
I'm just sayin'. You can specify a list of files and folders to exclude from
Time Machine, however, so if you have something you don't want the FBI to know
about, you should take advantage of that. The "Secure Empty Trash" feature will
not remove the Time Machine archives--though it probably
should.

Anyway, I went out and bought a
cheap 1TB external drive array (less than $300), divided it into two partitions
for my laptop and my wife's, and installed it as a shared drive on our iMac.
The shared partitions work perfectly as backup drives, and now whenever our
laptops are on the home network we have backups. Utterly painless: we don't
have to do anything other than connect to the
WiFi.

Plan on letting the computer run
overnight for the initial backup, though. It takes a
while.

One feature I would like to have
in Time Machine is the option to create multiple backup volumes. My laptop
spends about as much time at the office as at home, and it would be useful (not
to mention good practice) to have a backup drive in each location. Since Time
Machine is so painless to use, I can see this as a very reasonable thing to do.
However, as near as I can tell, Time Machine doesn't permit more than one backup
volume.

Other Nice
StuffSince we have four Mac OS machines
in our home (laptop for each of us, Mini for the kids, and an iMac which we use
as a home server), networking and sharing is a fairly big deal. I'm really
happy to see the return of shared folders/drives. What's more, the interface
for file sharing is simpler and easier than
ever.

Having a self-cleaning Guest
account is really nice. Haven't used it, but I'm sure I
will.

I haven't had a chance to play
with the new Parental Controls yet, but I'm sure I will. That feature gets a
lot of workout on the kids' machine.

I
also haven't had a chance to play with spaces yet, but that's also going to be a
useful feature. Now we just need someone to hack the motion sensor on newish
laptops so you can change screens by smacking the side of the
computer.

On the downside, I really
don't care for the translucent menu bar, and the glowing dot on the dock for
active apps (replacing the black triangle) is hard to see. Also, having open
Finder windows seems to mysteriously suck CPU from time to time. Closing the
window fixes the problem, but I'm not sure what exactly the processor time is
being used for.

Thursday - October 18, 2007 04:45 PM

Without much fanfare, my iPhone passed its three
month birthday a few days ago. That's long enough for the honeymoon to be
mostly over (at least, it was with my earlier smartphone). So what do I
think?

First, this is the first phone I've owned in many
years which I didn't actively hate after three months--the last phone I really
liked for a long time was a Nokia 8000-series phone from about 1997 or 1998. I
don't remember the model, but it was tiny, chrome, and had a nifty slide-out
keypad cover. So the iPhone passes the not-loathing test, which is unusual
right there.

On the positive
side:

1) The web browser works really
well. The browser in my Treo sucked canal water, so I never used it. I use the
iPhone for surfing the web all the time, and I never thought I'd get this
addicted to having a browser in my
pocket.

2) Google maps is awesome, even
without GPS. The best part is live traffic information, which is really helpful
during rush hour. If a future revision includes GPS, then the maps function
could be a killer product all by
itself.

3) YouTube is fun, and even
though I don't use it all that much, the kids do. It's sometimes a useful way
to distract them so I can get something else
done.

4) Video podcasts are a great way
to pass a long flight. The big screen makes the iPhone almost as good as one of
those portable DVD players, but smaller and fits in your
pocket.

5) This is still the coolest
gizmo around. Even after using it for three months, it still seems like
something which dropped through a time vortex from three hundred years in the
future.

Observations which are neither
positive nor negative:

1) Stocks,
weather, notes....meh. I use them very occasionally, but if I had the option,
I'd probably want to ditch those in favor of something
else.

2) I'd say I'm about equally as
clumsy on the touchscreen keypad as I was on my Treo's mini keyboard. I've come
to rely on the autocorrect feature, though, and every now and then it won't
correct something and I'll text She Who Puts Up With Me something like "I'm
kwabumf the office now."

3) The iTunes
ringtone maker sucks, but Ambrosia's iToner now works with version 1.1.1, and
that rocks. I didn't really care about ringtones until Apple messed it up so
badly.

4) I don't really care about
unlocking or jailbreaking my iPhone, so the whole kerfuffle about version 1.1.1
really didn't matter to me.

5) The $200
price drop also didn't matter to me, but the $100 credit was pretty cool. We
used ours to buy a nice pair of Bose ANR
headphones.

Negative
stuff:

1) No to-do list? Oh wait, I
never used the to-do list.
Nevermind.

2) Since 1.1.1, the iPhone
won't automatically connect to our home wifi network: we have to go into
Settings and choose it manually from the list of available networks. This may
be because our home network doesn't broadcast its
SSID.

3) Safari is still unstable, and
crashes every now and then. On the other hand, the crashing is so very subtle
you sometimes don't even notice it: in the worst case it drops back to the home
screen, and sometimes it simply has to reload the open pages when you select
Safari.

4) Mail is cumbersome, but
mostly because it lacks just a couple of features. If it did rules filtering
and junk mail filtering and made it easier to delete multiple messages, that
would solve most of my complaints. It's still better than on my Treo, which
froze regularly when I tried to read
mail.

Saturday - June 30, 2007 01:22 PM

I stopped by one of the local Apple Stores this
morning to get a glimpse of the almost-mystical iPhone.

I came away impressed. I'm fairly confident that
when my old Treo dies (and it will soon--only three of the seven screws holding
my Treo together remain) it will be replaced by an
iPhone.

It's not that the iPhone has
any features my Treo lacks. In many ways, the Treo is more feature-complete.
But Apple has once again figured out that what a lot of people want is not
features but
useful
features.

For example, I almost never
used the Web browser or e-mail on my Treo because they suck. E-mail I gave up
on almost immediately because it consistently crashed my Treo, and was useless
for navigating my inboxes in multiple accounts. The web browser is more stable,
but made navigating real web pages a painful experience which was almost never
worth it.

iPhone seems to have solved
both problems.

I also came away with
the impression that this is clearly a 1.0 product (though a really awesome one).
Some basic features are inexplicably lacking--for example, while I could program
it to dial a series of digits after calling a phone number (useful for
automatically logging in to a corporate voicemail box), I could not get it to
wait for user input before dialing the extra digits. Others have commented on
the missing copy/paste functionality, and the fact that you can't do instant
messaging. The lack of IM is possibly AT&T trying to protect its lucrative
text messaging business, but I suspect the noise to add it will quickly become
loud enough to force Apple to add IM in fairly short
order.

(I also suspect it won't be long
before people get IM to work on the iPhone through a browser-based
client.)

There's no doubt in my mind
that the iPhone is a game-changer. Despite its flaws, all other smartphones are
awkward and clunky in comparison, bloated with too many tiny buttons and
features made useless through interface obscurity. And just as the original
iPod eventually yielded the Nano and Shuffle, it's exciting to contemplate where
this product will be in five years.

Tuesday - June 12, 2007 09:47 AM

I've had some time to dig a little more deeply
into Ruby on Rails, and I'm still impressed.

I've been building a pilot logbook application,
and in just a few hours of work (maybe 7-8 hours so far, more than half of which
was just getting back up to speed on programming and object-oriented techniques)
I've built a nearly feature-complete, if basic. I've even had time to add some
HTML decoration and formatting, and do a fair bit of user interface
refinement.

The coolest thing about
Ruby on Rails, though, has been the support for generating "scaffolding," basic
interfaces for creating, updating, and deleting database entries. The
scaffolding itself consists of only a few lines of auto-generated code (with
lots of stuff running invisibly in the framework), but it radically changes the
development process.

The magic is that
all you need to do is define the stuff you want to store in the database, and
from that point forward you have a functional program. It may be crude, it may
not provide the features or user interface you want, but it works. That means
that as you develop, rather than having to write 80% of the program before you
can start actually using (and testing) it, you can start using and testing it
almost immediately. Almost the entire focus shifts from working to get basic
functionality, to adding features and refining the
interface.

That's not just more
efficient, it's also a lot more rewarding. There's less of an initial hump to
get over before you feel like you've gotten something
done.

As an example, take a basic
general ledger program. Traditionally, you might start by defining a general
ledger database, then write the business logic and create a user interface for
entering transactions. There's nothing functional, though, until both the
business logic and user interface are significantly
complete.

Under Ruby on Rails, you
start by defining the fields you want to store in your general ledger (most
basically, a general ledger entry will have an account to credit, an account to
debit, and a dollar amount). As soon as that's done, you have (for free!) a
crudely functional general ledger package. The user interface will suck, and it
won't run reports or validate entries, but it will exist and be functional. So
then you scratch your chin and say, "I don't like this interface for adding a
new ledger entry, I'll replace it with a new one." When that's done, you
scratch your chin again and say, "It needs to make sure the credit and debit
amounts match," or "I need to be able to generate the balance for any account on
any date," and you write that. Eventually you work your way down to details
like tracking receivables, calculating depreciation, and so forth, but there's
never a point in the process where you don't have working
code.

This iterative development cycle
is nothing new for those wise in the ways of Agile Development, though I think
Ruby on Rails dramatically cuts the time required to get to first
base.

Tuesday - May 29, 2007 04:10 PM

There's no lack of e-mail alternatives: IM, SMS,
web-forums, and blogs all replace at least some of the functionality of e-mail.
But nothing seems well positioned to step up as the next generation of
ubiquitous messaging service.

A big
part of the problem is that the very feature which makes e-mail so useful--the
ability to send and receive messages to and from anyone--is the same feature
which makes it so vulnerable to
spam.

It wouldn't be hard, for example,
to set up a closed e-mail network where you will only get messages from your
pre-approved "friends." As Fred correctly points out, many social networks
already include this feature, and spam is generally not an issue on those
networks.

Simply requiring a sender to
ask to be a "friend" really just pushes the problem to a different level,
though. A spammer could just as easily send millions of "be my friend" requests
and be as much of a headache as they are with spam e-mail. Worse, it wouldn't
do much about phishing schemes, since those could be crafted to look like
legitimate requests from real
companies.

The fundamental dilemma is
as follows:

A) No replacement e-mail
system will take off unless it's ubiquitous. The fact that anyone can
communicate with anyone is the main reason the current e-mail system still
dominates, rather than being replaced by some other (presumably closed)
messaging system.

B) Companies and ISPs
won't adopt a new messaging system unless they have the ability to administer
their own accounts--a central Ministry of E-mail Management won't
fly.

C) But as long as companies can
create their own accounts, spammers can do the same to generate tons of spam (or
possibly "be my friend" messages) from millions of unique
addresses.

D) The only way to prevent
the spammers is thus to break the anyone-to-anyone communications in
e-mail.

So to fix e-mail, you either
need centralized account management or you need to limit the ability for anyone
to send a message to anyone else. The former is unacceptable to the businesses
which actually run e-mail servers, and the latter limits the network effect
which makes e-mail useful.

There are a
couple of technical solutions which I could see as breaking the
logjam:

1) A reliable, unobtrusive way
to distinguish human- from machine-generated messages. The current
"challenge-response" systems are very effective, but too obnoxious for
widespread adoption. If you could figure this out, though, it would make it
possible to apply different rules to messages depending on the sentience of the
sender.

2) It may be possible to
modestly limit the "anyone to anyone" messaging feature of e-mail in a way which
blocks most unwanted messages without getting in the way of human senders.
Whitelisting and Blacklisting are forms of this approach, but not powerful
enough by themselves to solve the problem.

Wednesday - February 14, 2007 02:05 PM

Here's an interesting article about the security model for the $100 laptops.
Basically, they're relying on extreme segmentation--each application plays in
its own sandbox, so malicious software can't do anything to the system or
applications even if it gets installed.

It also looks like they're using secure
application signing as a ways to give applications access to resources outside
their sandbox--possibly a weakness (if they key is ever compromised), but better
than what anything else does
today.

I've thought about this idea in
the past, and it's very sensible. Very few applications actually need to access
data and resources from other applications, and allowing open communications
creates a lot of opportunities for mischief.

Wednesday - January 10, 2007 08:22 PM

So, let me get this straight.

For probably three years running, rumors about
Apple making a mobile phone have been running wild. This rumored gadget is
universally dubbed the iPhone, if for no other reason than its the obvious
name.

This is one of those
stories where there has to be more to it than meets the
eye.

Here's what I think is going
on....

Cisco acquired the "iPhone"
trademark in 2000 when it acquired Infogear, which had been selling a line of
iPhone-branded products. Apparently, though, Cisco had not been selling
anything called iPhone for several
years.

Apple almost certainly knew
this, since their lawyers certainly found the original trademark issuance, and
also researched the subject enough to know that the trademark had fallen into
disuse. So Apple went ahead with the iPhone name--at least partly because it
was the obvious choice, and partly because everyone was already calling it
iPhone--figuring that they could pay Cisco a few million dollars and get the
trademark transferred.

Meanwhile, Cisco
saw that the iPhone name was also both the obvious choice for Apple, and that
everyone was already using the name. So they figured that the iPhone name
should be worth rather a lot to Apple, and added a couple zeroes to the price
Apple offered.

Apple, of course,
balked. Especially since (as they no doubt pointed out to Cisco), Cisco hadn't
actually been selling anything called iPhone for quite some time. So if it came
to a lawsuit, Cisco's trademark could be nullified for disuse. Under American
trademark law, it isn't enough to be issued a trademark: you have to actually
use the trademark and defend it from infringement if you want to keep other
companies from using it.

So Cisco
quickly rebranded some other new product as iPhone and rushed it to market in
order to maintain the trademark. It was important that Cisco's iPhone be
introduced before Apple's iPhone, otherwise Apple would have a much stronger
claim that Cisco wasn't actually using the
name.

That's why we saw Cisco announce
an iPhone just weeks before Apple. They needed to shore up their bargaining
position before Jobs' big speech. It doesn't matter that practically everyone
with a live Internet connection thinks of Apple--not Cisco--as the iPhone
company. All that matters is that Cisco can claim that Apple stole its product
name.

Now that it's all out in the
open. Cisco is irritated that Apple won't pay up for what is (to Apple) a very
valuable trademark. Apple is annoyed that Cisco is playing games to extract
extra money from what had been a moribund name. And now they're taking it to
court.

The conventional wisdom is that
Cisco's going to win in court. But I think Apple has a better chance than most
give it credit. It is possible to invalidate a trademark by showing that the
name has become generic--which is only a small step from showing that the name
is not associated in most people's minds with the product claiming the
trademark. Apple will have an easy time proving that (a) basically nobody knows
about the Cisco iPhone, while the whole planet knows about Apple's version; (b)
Cisco had not used the name for a long time until suspiciously introducing an
iPhone immediately before Apple; and therefore (c) that Cisco was attempting in
bad faith to reclaim a trademark which it had stopped using, solely in an
attempt to extract more money from Apple, the company universally associated
with the iPhone name.

Of course, I have
no idea if any of this is true. So my opinion is worth what you paid for
it.

Tuesday - January 09, 2007 06:36 AM

Everyone is anticipating that Apple will announce
a mobile phone today, probably in partnership with Cingular (as reported in the
Wall Street Journal).

I'm having a hard time getting excited. The
mobile phone business just doesn't seem conducive to Apple-style "it just
works." The customer service stinks, coverage is often spotty, carriers have a
vested interest in selling phones with too many features so they can sell add-on
services, and the result is a complicated customer-hostile
mess.

I'd be happy to be surprised.
But I've come to the conclusion that the problems with the mobile phone business
are structural, and not even Apple can fix them. So this could wind up being
just a highly-anticipated disappointment.

Sunday - November 26, 2006 07:53 AM

Back in January of 2004 I was writing about
Microsoft's Portable Media Center, which tried to out-iPod the iPod by doing
video. Six months before the device actually hit the shelves and proved me
right, I concluded that Microsoft was on completely the wrong track because (a)
music, not video, is the killer app for music players, (b) consumers really,
truly don't want a Windows interface on a piece of consumer electronics, and (c)
the hardware and software need to be tightly integrated, not made by two
different companies.

That was then,
this is now, and now we have the Zune. Microsoft seems to have learned a lot
this time around, but now they're making an entirely new set of mistakes, as
one reviewer emphatically points
out.

Mirosoft's fundamental
problem is that the market has evolved over the past several years. Initially,
people bought MP3 players mostly to play their existing music collections, and
there was no way to buy music
online.

At the time, though, the music
companies were desperate to find an online model which worked (shutting down
Napster having done little to actually slow down the online sharing of
copyrighted music), and they were willing to give Apple fairly reasonable terms
for its iTunes Music Store: a fair, fixed price per track, and use restrictions
which most consumers can live with.

Now
that the iPod and iTunes Music Store have become such overwhelming successes,
though, the music companies wish they had been a little more demanding. Since
Apple has the vast majority of the market, no record label can dictate terms to
Apple: Apple can cut them off from the increasingly lucrative online market, and
hardly suffer at all.

Microsoft, on the
other hand, desperately wants to break Apple's lock, and needs to have a
well-stocked music store in order to gain a foothold for the Zune. The record
companies desperately want to force Apple to accept different terms for the
iTunes Music Store, which requires having a credible
competitor.

So the record companies
forced Microsoft to accept the kind of deal they wish they could get from Apple:
absurdly onerous DRM (the Zune locks up public domain music), variable pricing
(more popular music costs more), and even a cut of the revenue from Zune sales.
They even forced Microsoft to cripple the Zune's one and only innovative
feature, sharing music via
WiFi.

Microsoft has made its own
mistakes, too: the Zune utterly lacks the "cool factor" of the iPod, being too
big and clunky-looking; and not providing Vista support on Day 1 is a gaffe of
inexplicable magnitude.

Still, there's
no small amount of irony that the music companies' desperation to force
Microsoft to accept less-favorable terms for online music for the Zune will play
a large part in dooming the effort to create a credible competitor for the
iTunes Music Store.

It must be fun to
be a record company executive and live in a world where you think consumers are
so desperate for your product that they will buy it no matter what the price or
no matter how absurd the terms.

As it happens, I know a thing or two about
traffic measurement (though I'd hardly call myself an expert), and with all
respect to Andrew, he's answering the wrong
question.

Yes it is true that analyzing
an Apache server log isn't that difficult--with some pitfalls--but that's not
the issue. The issue isn't figuring out how much traffic you get, the issue is
proving to a third party (i.e. advertisers) how much traffic you get when you
have a financial incentive to inflate the
numbers.

I don't want to suggest that
Andrew is inflating his numbers--I have no way of knowing one way or the
other--but this is a very real problem. It was a problem back with Web 1.0 when
advertiser-supported websites were known to inflate their hits by various
methods, including forging the log files (it isn't very hard, and almost
impossible to detect).

So a lot of
advertisers are rightly skeptical of self-reported traffic statistics from
websites.

And I think zeFrank raises a
legitimate question when he asks why RB claims ten times the viewers yet at
least one independent traffic monitoring site suggests that zeFrank gets more.
You can't just casually dismiss a 10x discrepancy like that by saying that
Alexa's numbers are crap.

There's lots
of reasons why this could happen:

1)
Apples and Oranges

There's a gazillion
different way to track web traffic: "hits," "visits," "bytes served,"
"downloads," etc. None of these are perfect, and definitions of them are not
always consistent.

It appears that
Rocketboom's traffic claim is, essentially, the number of times video files are
served. Alexa's ranking is something else--I'm not sure exactly
what.

Someone pointed out that on the
RB website, every time someone loads a page it loads a video, whereas on zeFrank
the videos only load when a visitor actually clicks on the video. zeFrank's
behavior is more user-friendly, while RB's will substantially increase the
number of video files served (I would guess by a factor of at least two, and
likely more). This could account for a significant part of the
discrepancy.

2) Sampling Bias (aka
Alexa Sucks)

The group of people Alexa
samples to gather its statistics is not representative of Internet users as a
whole (but then, what is?). This could make a difference if RB and zeFrank
attracted substantially different demographics. I don't know if they do, but I
seriously doubt that Alexa's non-representative sample could account for an
order-of-magnitude error. 25% might be believable, but I'd be more inclined to
think that the two shows actually have very similar
demographics.

More significantly,
though, is the fact that Alexa only counts people who visit the site in their
web browser. Alexa completely misses anyone who downloads through iTunes or an
aggregator like Democracy, or something completely different like RB on TiVo. I
don't know what fraction of the total this might be, but I suspect it is
large.

What's more, since zeFrank has
more interactive stuff on his website, zeFrank viewers are more likely to fire
up their browser and go to the comments, etc. Rocketboom is more of an
old-media (oops, sorry for the naughty word) model, where you view the video and
that's about it. I would guess that people who subscribe to RB in iTunes (or
other aggregator) are less likely to visit the website than zeFrank
subscribers.

3) Network Caching/Web
Proxies

It is not safe to assume that
every person who views an online video got it from the host
website.

Some ISPs (most notoriously
AOL) will cache web pages on their internal network as a way to save bandwidth.
When an AOL subscriber requests a page, the AOL proxy server will first check to
see if it already has a copy--and if so, the subscriber gets it from the AOL
proxy, and the request never hits the host
site.

This is a very effective way to
save bandwidth, but it can wreak havoc on server statistics. On my company's
website, as much as 25% of our traffic comes from AOL, and on the static pages
we never see it in our logs (but we know it's there because we still get
requests for the dynamic web
pages).

However, it is possible to
configure your web server to instruct proxy servers (like AOL's) to not cache
your page. If Andrew set up his server this way but zeFrank didn't, this could
account for a large fraction of the
discrepancy.

This works in zeFrank's
favor: his viewership may actually be quite a bit larger than he thinks, because
a lot of people might be viewing his videos through ISPs which do web
caching.

4) Someone's
Lying

I started this message by
pointing out that the problem isn't figuring out how much traffic you've got.
The real problem is being able to prove it to a third
party.

Both Andrew and zeFrank are
selling advertising on their videos, and so both have a financial incentive to
make their traffic numbers look as big as possible. I'm not saying that
anyone's being dishonest--I have no way to judge. But it has happened in the
past, and there's no doubt it will happen again in the future. If all you're
releasing is your own web log analysis, those numbers are automatically suspect
if there's money involved. You want to have a trusted third party gathering the
data.

It is also possible to be
misleading without being out-and-out dishonest: for example, citing your peak
daily traffic in a way which implies that it's your average
traffic.

In summary: this is a much
more complicated question than just whether everyone's being honest. There are
many different ways to measure traffic, and some of the specific design and
configuration decisions made by both zeFrank and RB can lead to wildly different
numbers for their respective web traffic even if viewership is
similar.

So zeFrank's challenge ("Why
does RB claim so many more viewers than I get but Alexa says I'm ahead?") is
reasonable. On the other hand, there are many likely reasons which don't imply
any dishonesty on anyone's part.

And
this is an issue which will continue to come up as long as there's money in this
business.

Friday - August 04, 2006 10:15 AM

I've been thinking about the security vulnerability in WiFi network cards
announced yesterday, and I'm starting to wonder if there's really all that much
to this. The security hole was demonstrated on a MacBook with a third-party
WiFi card installed, and was shown in a video tape rather than in a live
demonstration. Very little additional information was given, other than that
the bug was in the WiFi driver.

This strikes me as odder and odder the more I
think about it.

To begin with, the
hardware used is really unusual--probably less than one in ten thousand MacBooks
will have a third party WiFi card installed, for the simple reason that all
MacBooks come with built-in WiFi. The only reasons to have a third party card
would be because the built-in WiFi broke (and the MacBook is a new machine, so
they're all still under warranty), or because the user wants to connect to two
networks simultaneously.

So it is
reasonable to ask why they would choose to use a hardware combination so unusual
as to be almost nonexistent in the real world. The given answer was that they
chose Mac to tweak the image of Apple as a secure platform (the actual quote is
somewhat more colorful), but used a third-party WiFi card because they didn't
want to leave the impression that it was just an Apple problem. Huh? A finer
example of pretzel-logic I have rarely
seen.

In the absence of more details,
it is entirely possible that this bizarre hardware was chosen precisely because
it has a unique vulnerability which does not exist on more common platforms.
This undermines the implication in the demonstration video that every WiFi
equipped computer is vulnerable.

To put
a finer point on it: if the flaw is in the WiFi device driver (as claimed), then
every combination of WiFi hardware and OS will have, potentially, an entirely
different set of vulnerabilities. Some drivers might be very bad, and others
very good. It is possible that this hardware was chosen for the demo because it
has a particularly bad driver, but that doesn't translate into a real-world
problem since almost no real users would be using the buggy driver. (What's
more, we shouldn't fault the manufacturer if they didn't rigorously test their
software with hardware that nobody uses. As with anything else, there is a law
of diminishing returns in testing.)

My
next problem has to do with the way the demo was carried out: on video. The
stated reason is that they didn't want anyone sniffing the WiFi connection and
discovering the attack before it could be patched. That's an entirely
reasonable concern. But it also conveniently avoids almost all independent
scrutiny of the attack, and even the most basic questions about the level of the
problem.

And that gets me to the third
issue I have with this claim. The people responsible for the demo are spinning
it as a major flaw affecting every WiFi equipped computer out there (and getting
a lot of publicity as a result), but have given almost no information about what
hardware and software might
actually
be vulnerable, and under what conditions. Some very basic questions have yet to
be answered about the scope of the problem, such
as:

* Is this a universal flaw,
something unique to this oddball hardware combination, or a class of problems
the severity of which can vary widely between configurations? For example, is
the MacBook's built-in WiFi also vulnerable? What about PowerPC-based Macs? Or
Windows laptops?

* This attack used
(effectively) a malicious base station. What network states make a computer
vulnerable? Is the computer only safe if the WiFi is actually turned off, or is
it safe when connected to a trusted base station? What about when it is
attached to an encrypted network? Or does it depend on the particular hardware?
What about configuring the computer to only attach to trusted
networks?

* Is firewall software an
effective defense against this class of attacks, or
not?

In sum, is this really the huge
problem that the headlines imply, or just a case of the hardware company (Apple)
failing to test its device drivers with a particular third-party add-on that
nobody is likely to install? Inquiring minds want to
know.

(And in the meanwhile, the
practical advice--turn off the WiFi when you're not using it--still stands. As
a bonus, turning off WiFi extends the battery life of the laptop.)

Even though there's no attack
"in the wild" as yet, consider this a warning. Until the computer manufacturers
issue updated drivers to fix the problems (which I don't expect will take long),
be sure to turn off your wireless network unless you're actually using
it.

Monday - April 17, 2006 05:26 PM

Om Malik wrote today on the virtues of simplicity in technology. Do one
thing and do it well, rather than trying to cram every possible feature into the
gizmo. Too many features ultimately confuse consumers and lead to long-term
dissatisfaction. Think iPod, the Palm V, the original Blackberry, and Google
before they started having Google-this and Google-that.

In technology, two powerful forces conspire to
make products more complex than they need to be. One is marketing, since
feature-checklist marketing demands that as soon as any competitor adds a new
feature (no matter how absurd), then you need to add it
too.

The other force is Wall Street,
which demands that technology companies post exponentially increasing revenue
growth even when a company's core market nears saturation. The only way out is
to expand into other markets by creating goofy hybrid products like
camera-phones, MP3-player-phones, smart-phones, game-player-phones, and other
hyphenated-phones (none of which are very good at being
phones).

All of which makes me harken
back to the last mobile phone I truly loved. It was a Nokia
8860, about the size of a matchbox with a slide-out keypad cover and a
chrome finish. It was an excellent phone, even though it lacked a color screen,
camera, downloadable ringtones, or Palm OS (but it did have some lo-res
black-and-white games). I dialed a number and talked to people; alternately,
people would dial my number and I could answer or not as I
chose.

Today I carry a Treo 650,
considered by many the best smartphone on the market. I do appreciate being
able to sync my address book to my computer (a useful capability the Nokia
lacked). In addition, the Treo will take really crappy pictures, play MP3 files
I load onto it with considerable difficulty, play lo-res games (but in color!),
and sometimes place or receive phone calls. The latter capability only works
intermittently, since the phone has a habit of turning itself off, randomly
rebooting, or sometimes just not working for unknown
reasons.

Ah, but now I only need to
carry one gizmo around instead of two! It is true that I'm more conscientious
about using my Palm organizer now that it's also my phone. But a Treo is as big
or bigger than a Nokia 8860 glued to a Palm V, and I still own both an iPod and
a digital camera (the music player and camera features of the Treo being so
indescribably awful as to be
useless).

The difference is that
instead of owning a highly functional and stylish phone, a highly functional and
stylish organizer, and a highly stylish and functional music player, I merely
own a highly functional and stylish music player and a clunky and marginally
functional organizer/phone. But both the Nokia 8860 and the Palm V have long
since been discontinued and are no longer supported in the
U.S.

Friday - March 10, 2006 10:36 AM

Technology buzzwords follow a well-travelled
trajectory from Creation to Buzz to Hyped to Overused to Meaningless to
Ignominious Death.

The term "Social Software" has now officially
made it to the Meaningless stage. "Social Software" is a derivative of the
already-dead buzzphrase "Social Networking Software" which went from Buzz to
Ignominious Death almost before the ink on the VC term sheets was
dry.

As evidence of the meaningless of
"Social Software," I present the "Social Software Top 10" list. The common thread
appears to be web sites built around user-generated content; no post-IPO
companies need apply.

But if all you
need to be "Social Software" is user-generated content, why isn't eBay on the
list? Surely that's a company built entirely around the collective content (in
the form of auctions) of its users. eBay's feedback system is arguably more
sophisticated a social mechanism than anything on MySpace, if more formalized
and limited to the context of online
auctions.

Any why not Amazon.com, which
has long included user-submitted reviews, and has a feedback and scoring
mechanism.

For that matter, the World
Wide Web itself is the ultimate Social Software, since the entire concept was
built around web users creating web pages. And how about Google, which
generates no content itself and relies on the links inside web pages to
determine what pages are relevant to any given
topic.

I look forward to the
ignominious death of the Social Software buzzphrase.

Tuesday - February 21, 2006 09:20 PM

Introduction:
Back in November I wrote about setting up a RAID array on my new Mac using a
bunch of external hard drives I had sitting around. RAID stands for Redundant
Array of Inexpensive Disks, and is a way to bind together multiple disks into
one larger and/or more reliable virtual disk. RAID sounds complicated, but it
is built in to Mac OS X, and isn't even that hard to set
up.

One application in particular is
extremely handy: setting up two (or more) hard drives to mirror each other to
provide a constant backup. Known as a Mirrored RAID (or RAID 0 in geek-speak),
this configuration keeps all the drives in the RAID array constantly backing
each other up. If any drive fails, the other(s) take over immediately and
seamlessly. In fact, you might not even know that your hard drive has failed,
unless you happen to see the
smoke.

Setting up a RAID array as your
boot drive in Mac OS X isn't hard, but it does take some time. The payoff is
worth it: you will be secure in the knowledge that you will never again lose any
data to a hard drive failure.

Materials:
You will need:

1) A
Mac

2) An external (preferably
FireWire) hard drive with at least as much capacity as your Mac's internal hard
drive. This is the "mirror drive" (and you can have more than one for extra
redundancy)

3) An external (FW or USB)
hard drive with at least as much space available as you are currently using on
your Mac. This will be a "scratch drive" you use for setting up the RAID, so
you can borrow a drive from a friend and return
it.

4) Your Mac OS X Installation Disk,
either one that came with the computer or one you used to upgrade
it.

To find out the capacity of your
hard drive, click on the drive in the Finder and select "Get Info" (apple-I).
If you're buying a new hard drive for your backup, get a drive with at least 8%
more capacity as Finder reports as the capacity in the Get Info window--that's
to allow for different ways of measuring hard drive capacity and formatting
overhead. So if Finder says your hard drive has a capacity of 232 GB, get at
least a 250 GB external drive. It's OK to get an external drive bigger than
your existing drive--we can recover the extra
space.

Overview:
There are essentially three steps:

1)
Copy the entire contents of your hard drive onto the scratch
disk.

2) Set up the RAID
array

3) Copy the contents of the hard
drive from the scratch disk onto the RAID
array.

Note: These
instructions are for 10.4; earlier versions may have some slight
differences.

The computer will boot
off the OS X Installation Disk. This is necessary because you're going to
completely rebuild the hard drive, which means that the hard drive can't be the
boot disk.

You will be asked to select
your language, then you will be at the screen to begin installing OS X. That's
not what you want, though: you want to launch Disk
Utility.

In the 10.4 installer, the
Disk Utility is found under the "Utilities" menu. Choose it, and Disk Utility
should launch.

Plug in your scratch
disk (if you haven't already). It should appear in the bar on the left-hand
side of the window, along with the Macintosh HD (your internal hard drive) and
the OS X Installation Disk.

Select your
Macintosh HD in the bar on the left-hand side of the
window.

From the File menu, choose
"New...Disk image from Macintosh HD". Save the new disk image somewhere on the
scratch disk.

Your computer will now
begin copying the entire contents of your internal hard drive into a file on the
scratch disk. Depending on how much stuff you have saved, this could take a
while; perhaps a few hours.

Once the
new disk image is complete, plug in the mirror drive (if you haven't already).
It should appear in the bar on the left-hand side of the
window.

If your mirror drive
is bigger than your internal hard drive: We
want to recover this extra space to be usable, so select the mirror drive, then
choose "Partition" in the area in the right-hand side of the window. Set up two
partitions, and move the bar between them until the first partition is the same
size (or slightly larger) than the size of your internal hard drive. Name the
first partition "Mirror" and the second partition "Extra
Space."

Now we're ready to configure
the RAID array. Select your internal hard drive, and choose "RAID" on the
right-hand side of the window. Create a new RAID Set named Macintosh HD, with
volume format "Mac OS Extended (Journaled)" and RAID Type "Mirrored RAID set".
Drag the mirror drive into the raid set (or the Mirror partition of the mirror
drive, if you set up two
partitions).

Click "Options" and make
sure "RAID Mirror AutoRebuild" is
checked.

Finally, click "Create" to
create the RAID
set.

Congratulations!
You've set up the RAID! Now all you need to do is copy your hard drive back
onto the new RAID set and you're
done.

Click "Restore" in the
right-hand side of the window. For "Source" drag the image of the internal hard
drive you created earlier. For Destination, drag your newly created RAID set.
Select "Erase Destination" and
"Restore."

Your computer will now copy
your hard drive back onto the RAID set. This may take a few
hours.

When it's done, you're done.
Quit Disk Utility, then go to Startup Disk (in 10.4, this is in the Utilities
menu) and choose Macintosh HD (your new RAID set) and click
Restart...

Done:
You now have a RAID mirror of your internal hard drive. Any time both drives
are connected and functional, the computer will keep them both synchronized. If
one fails (or is unplugged), the computer will keep working on the remaining
drive(s). If a drive is reconnected to the array, the computer will update it
to the right state.

To verify this,
once you've rebooted your computer you can open Disk Utility and choose your
Macintosh HD, then select "RAID" from the panel on the right hand side. It
should show all the disks in the array, along with the status of each. If you
unplug the external drive, it will change the array status to "Degraded" and
show the external drive as "offline." Plug it back in, and it should show the
external drive as "rebuilding."

Tuesday - January 17, 2006 04:00 PM

Unless you've been living in an igloo the past
several weeks, by now you've heard that the National Security Agency (NSA) has
apparently been conducting surveillance of American citizens without a warrant,
in apparent violation of FISA, the post-Nixon law which regulates such
activities.

Ignoring for the moment the question of whether
this activity is legal (I doubt it is) or advisable (they could have asked
Congress for permission), I'd like to think about what exactly the NSA might
have been doing. I don't have a security clearance and have never (to my
knowledge) come into possession of any classified information, so this is purely
a thought-experiment.

(And if I happen
to be right about a few things, please re-read the part about this being a
thought experiment before you come knocking on my door, Mr. FBI
Agent.)

Interception
CapabilitiesIt is fair to assume that
the NSA has the technical capability to eavesdrop on any international
communications anywhere in the world. Any phone call, e-mail, web connection,
fax transmission, etc. that crosses an international border can probably be
intercepted if there's enough interest (and budget) to do so. All long-distance
electronic communication travels in one of three media: copper, fiber optic, and
wireless. All three media are interceptable, and the "Echelon"
program was probably created for the express purpose of intercepting nearly all
international
communications.

Old-fashioned copper
cables are easy to tap. All you need is an induction coil. Wireless is
similarly easy: an antenna in the right place will do the job (and the NSA has
been known to rent offices which happen to be in useful locations for
intercepting signals from, say, the Russian
embassy).

For a long time, many people
assumed that fiber optic cables were secure, but that's not true of course.
Optical fibers will "leak" light if they are bent at a radius which is just a
little too tight, making it possible to tap a fiber without disrupting the
signal or cutting the cable. It has been reported for many years that the U.S.
operates one or more submarines built just for the purpose of tapping undersea
optical cables.

The biggest challenge
is probably free-space optics: using a laser to send signals through the air.
But free-space optical systems have a limited range because of atmospheric
problems (dust, birds, etc.), and so aren't used very often. But even
free-space optics can be intercepted (with difficulty) because the laser will
scatter off dust in the atmosphere, and a well-placed receiver may be able to
pick out the signal.

The NSA probably
also has the capability to intercept some in-country communications in foreign
countries of interest. Places like Russia, Iran, and the U.K. It's much harder
to be comprehensive with in-country communications, since the fewer the number
of hops, the fewer places to tap the signal. International communications also
tend to be funneled along a limited number of international trunks, while the
in-country networks are more meshed. Finally, international transmissions are
much more likely to be interesting to spies, so there isn't as much as incentive
to intercept purely domestic communications. So the NSA's capability for
in-country interception is probably focused on useful and/or easy targets like
government agencies and mobile phone
networks.

Finally, the NSA probably has
one big hole in its technical capabilities: there is probably little or no
ability to intercept purely domestic communications in the U.S. This is because
wiretapping inside the U.S. is outside the NSA's traditional mission, so there
would be no need to develop the capability (the FBI, on the other hand, can and
does wiretap calls inside the U.S., but the FBI has a very different mission and
structure than the NSA).

So, to
summarize: the NSA probably intercepts a very high percentage of communications
which crosses international borders, and a lesser percentage of in-country
communications in foreign countries, likely focused on mobile phone networks,
government agencies, and other groups or individuals we have a specific interest
in. There's probably very little interception of U.S. domestic communications,
except to the extent that it happens to cross international borders (this blog,
for example, is actually hosted in Canada; and for a time many domestic long
distance calls in the U.S. were being routed through
Canada).

What to Do With the
Data?It is absurd to think that the NSA
has the ability to actively monitor all the communications it probably
intercepts. There's simply too much data, and not enough people to analyze it
all.

But you can learn a lot without
knowing anything at all about what a message says, just who the sender and
recipient are (aka Traffic Analysis). Every time one person calls another
person, or sends an e-mail or fax, or visits a web site, you can infer a
relationship between the two people or organizations involved. With enough data
and time, you can construct the social network of everyone whose communications
you're tracking.

When you consider that
the NSA is likely doing traffic analysis on a significant fraction of the
electronic communications outside the U.S., that means that they have likely
built up a database of the social networks of a big chunk of the developed
world's population. This is an extremely useful thing to have if you're in the
espionage business, since it lets you immediately connect a suspected spy or
terrorist to all his or her friends and associates. If you know two or three
members of a terrorist cell, you can probably identify the rest of the cell
simply by looking for common
associates.

Going beyond simple traffic
analysis, there have been persistent rumors in the speech recognition community
that the NSA has an unusual interest in the technology. The civilian state of
the art (which probably isn't so different from the classified technology)
allows you to do fairly powerful word spotting in multiple languages, but
accurate machine transcription of a phone call is still difficult. Speech
recognition is computationally intensive, so it probably isn't used on all phone
calls, but on a subset of calls which excludes obviously uninteresting ones.
It's not clear how useful this actually is, since (presumably) most criminals,
spies, and terrorists know enough to speak in code over the phone. Simple word
substitution like substituting "double cheeseburger" for "bomb" will foil
automated speech recognition since computers aren't smart enough to know that
plotting to hide a double cheeseburger on an airplane makes no
sense.

It also makes sense for the NSA
to keep archives of communications which might be of future interest. The main
limitation is storage space, and a few billion dollars a year will buy you one
heck of a disk array. The advantage is that if you identify new enemies (for
example, when they fly airplanes into office towers) an archive will let you go
back and trace how the plot took shape, who else might have been involved, and
what other plots had been considered and might still be active. So there is
probably a giant disk array somewhere which holds a significant fraction of the
world's international
communications.

LimitsAll
this technology (amazing as it is) can't really do anything more than identify
potentially interesting relationships, where "interesting" is defined by the
people running the system. If you're only looking for islamic bomb plots,
you're not likely to catch the Japanese naval attack on Pearl Harbor. And
vice-versa.

But the real bane of any
large scale data mining operation is the number of false positives you generate:
things that look relevant to the computer, but are in fact completely useless.
Software designed to search for a needle in a haystack will inevitably supply
far more needle-like bits of hay than actual needles. An article in today's New
York Times suggests that the value of the data the NSA was able to supply to the
FBI was fairly limited, being names, e-mail addresses, or phone
numbers of people with connections to suspected terrorists. Since the NSA
identified thousands of "leads" and often couldn't provide any context (because
such information would be highly classified), there wasn't much the FBI could
do.

Wednesday - January 11, 2006 08:29 AM

This is terrible. Every time Apple introduces a
new laptop, I want to go out and replace mine right away.

So, no surprise, I have a case of laptop lust for
the new dual-core "MacBook" laptops announced yesterday. Even though it's a
first-generation design and almost guaranteed to be buggy. Even though it only
has a 15" screen, not the 17" monster I currently use. Even though the name,
well, let's just not discuss the name,
OK?

Hi, my name is Shivering Timbers,
and I'm a Mac addict.

Right now I'm
using a 17" PowerBook G4, and I love it. I won't be replacing it any time soon.
But that doesn't mean I can't have a little crush on the sexy new
machine.

Tuesday - January 03, 2006 08:30 PM

I've noticed something. Technology
sucks.

Let me be a little more specific. Technology,
and in particular the giant systems which big companies buy, usually doesn't
work properly, if at all. In comparison, home technology (for all its
shortcomings) is extremely robust, stable, and
usable.

And I'm not just talking about
the well-known limitations of certain Microsoft products. I'm talking about
everything
in IT, from databases to web sites to Three Letter Acronym implementations (CRM,
SFA, SCM, etc.). If a company spent more than a million dollars on it in the
past twenty years, it probably
sucks.

Maybe I'm painting things with
too-broad of a brush. But here are some examples I've observed in my
travels:

* A client of mine recently
migrated one of its mission-critical systems to a new technology. Lots of new
capability, but it sucks. It crashes weekly, and has been down for hours and
even once for days at a time.

* A
consulting firm I know once privately described its business model to me as
"cleaning up after Accenture." This firm employed about 150 programmers, and
the majority of its business was essentially picking up the pieces of big failed
projects and trying to get something to
work.

* Customer Relationship
Management software sucks so badly that googling "Why do CRM projects fail" returns over a million
hits, and industry publications regularly run articles on the topic. Those are
the same publications which are generally in the business of
promoting
new technologies. Yet companies continue to launch CRM projects. In fact, at
my prior job, I lived through
two
failed CRM projects in the space of less than five
years.

Some consultants claim that over
half of all big technology projects fail at one level or another, and that
nearly all never meet all the initial objectives. Companies would never accept
this dismal level of performance from other major capital expenditures--imagine
if there was only a 10% chance that a new office tower would function as
designed, and less than a 50% chance that it would even remain standing after
being completed. But in the world of IT, where technology sucks, this is the
norm.

There are lots of reasons why
technology sucks, and I don't know which are most important. Chances are that
it's a combination of factors:

* Too
much focus on short-term gains (both to the vendor and project ROI) at the
expense of building robust and stable
systems.

* Overpromising the
capabilities of new technology.

* A
system of software vendors (Oracle and its ilk) and systems integrators
(Accenture and its ilk) which makes it easy to blame someone else for failure,
and encourages drawing out failing projects to the bitter
end.

Monday - December 12, 2005 02:18 PM

There's an article in Wired today about a
technology for sequestering carbon dioxide underground. The
idea of pumping CO2 underground as a way to reduce greenhouse gasses is not new;
people have been talking about it for years.

The disadvantage of pumping CO2 is that the stuff
is still a gas (or liquid) under very high pressure deep underground, and
there's no guarantee that it won't escape someday. In fact, pockets of CO2
naturally exist in some rock formations, and it does escape from time to
time.

What's new is the discovery that
if you pump the CO2 into a basalt formation, then the CO2 chemically reacts with
the rock and forms calcium carbonate (that is, chalk) fairly quickly: within 18
months. Once the chemical reaction happens, the CO2 can't escape, since chalk
is solid and chemically stable. This is a permanent disposal method, assuming
it works as promised.

As it happens,
there's
lots
and
lots
of basalt in the world. Basalt is the rock which comes out of certain types of
volcanoes. It forms much of the ocean floor, the entire Hawaiian islands, and
bedrock in many parts of the
world.

Assuming that this technology
works (and it isn't too expensive), there's no reason why power plants in many
parts of the world couldn't simply inject their waste gasses right into deep
wells located on-site. This could provide the best possible energy solution: a
plant which burns coal (the cheapest and most plentiful fuel around), but has
zero emissions as everything which would normally go up the smokestack goes into
an injection well instead.